[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[  OK  ] Started Getty on tty6.
[  OK  ] Started Getty on tty5.
[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.35' (ECDSA) to the list of known hosts.

syzkaller login: [   40.082326][ T6793] IPVS: ftp: loaded support on port[0] = 21
executing program
[   41.224030][ T6793] ==================================================================
[   41.232244][ T6793] BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130
[   41.239150][ T6793] Read of size 8 at addr ffff8880a9591f18 by task syz-executor081/6793
[   41.247370][ T6793] 
[   41.249687][ T6793] CPU: 0 PID: 6793 Comm: syz-executor081 Not tainted 5.8.0-rc7-syzkaller #0
[   41.258322][ T6793] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.268391][ T6793] Call Trace:
[   41.271655][ T6793]  dump_stack+0x1f0/0x31e
[   41.275956][ T6793]  print_address_description+0x66/0x5a0
[   41.281471][ T6793]  ? printk+0x62/0x83
[   41.285471][ T6793]  ? vprintk_emit+0x339/0x3c0
[   41.290119][ T6793]  kasan_report+0x132/0x1d0
[   41.294594][ T6793]  ? hci_chan_del+0x33/0x130
[   41.299152][ T6793]  hci_chan_del+0x33/0x130
[   41.303538][ T6793]  l2cap_conn_del+0x4c2/0x650
[   41.308184][ T6793]  ? l2cap_connect_cfm+0x12b0/0x12b0
[   41.313436][ T6793]  hci_conn_hash_flush+0x127/0x200
[   41.318516][ T6793]  hci_dev_do_close+0xb7b/0x1040
[   41.323425][ T6793]  ? hci_unregister_dev+0x159/0x1590
[   41.328721][ T6793]  hci_unregister_dev+0x16d/0x1590
[   41.333805][ T6793]  ? vhci_open+0x290/0x290
[   41.338188][ T6793]  vhci_release+0x73/0xc0
[   41.342486][ T6793]  __fput+0x2f0/0x750
[   41.346444][ T6793]  task_work_run+0x137/0x1c0
[   41.351002][ T6793]  do_exit+0x601/0x1f80
[   41.355127][ T6793]  ? call_rcu+0x509/0x840
[   41.359431][ T6793]  do_group_exit+0x161/0x2d0
[   41.363993][ T6793]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   41.370026][ T6793]  __do_sys_exit_group+0x13/0x20
[   41.374930][ T6793]  __se_sys_exit_group+0x10/0x10
[   41.379837][ T6793]  __x64_sys_exit_group+0x37/0x40
[   41.384829][ T6793]  do_syscall_64+0x73/0xe0
[   41.389213][ T6793]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   41.395073][ T6793] RIP: 0033:0x444fe8
[   41.398932][ T6793] Code: Bad RIP value.
[   41.402968][ T6793] RSP: 002b:00007ffe96e46e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.411491][ T6793] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444fe8
[   41.419445][ T6793] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   41.427400][ T6793] RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.435434][ T6793] R10: 00007f5ee25cd700 R11: 0000000000000246 R12: 0000000000000001
[   41.443379][ T6793] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   41.451438][ T6793] 
[   41.453739][ T6793] Allocated by task 6821:
[   41.458043][ T6793]  __kasan_kmalloc+0x103/0x140
[   41.462776][ T6793]  kmem_cache_alloc_trace+0x234/0x300
[   41.468119][ T6793]  hci_chan_create+0x9a/0x270
[   41.472780][ T6793]  l2cap_conn_add+0x66/0xb00
[   41.477361][ T6793]  l2cap_connect_cfm+0xdb/0x12b0
[   41.482266][ T6793]  hci_event_packet+0x1164c/0x18260
[   41.487433][ T6793]  hci_rx_work+0x236/0x9c0
[   41.491834][ T6793]  process_one_work+0x789/0xfc0
[   41.496666][ T6793]  worker_thread+0xaa4/0x1460
[   41.501308][ T6793]  kthread+0x37e/0x3a0
[   41.505346][ T6793]  ret_from_fork+0x1f/0x30
[   41.509738][ T6793] 
[   41.512041][ T6793] Freed by task 1530:
[   41.515997][ T6793]  __kasan_slab_free+0x114/0x170
[   41.520906][ T6793]  kfree+0x10a/0x220
[   41.524779][ T6793]  hci_event_packet+0x304e/0x18260
[   41.529861][ T6793]  hci_rx_work+0x236/0x9c0
[   41.534249][ T6793]  process_one_work+0x789/0xfc0
[   41.539067][ T6793]  worker_thread+0xaa4/0x1460
[   41.543713][ T6793]  kthread+0x37e/0x3a0
[   41.547752][ T6793]  ret_from_fork+0x1f/0x30
[   41.552131][ T6793] 
[   41.554432][ T6793] The buggy address belongs to the object at ffff8880a9591f00
[   41.554432][ T6793]  which belongs to the cache kmalloc-128 of size 128
[   41.568570][ T6793] The buggy address is located 24 bytes inside of
[   41.568570][ T6793]  128-byte region [ffff8880a9591f00, ffff8880a9591f80)
[   41.581730][ T6793] The buggy address belongs to the page:
[   41.587334][ T6793] page:ffffea0002a56440 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a9591800
[   41.597708][ T6793] flags: 0xfffe0000000200(slab)
[   41.602527][ T6793] raw: 00fffe0000000200 ffffea0002a5a648 ffffea00028a4a08 ffff8880aa400700
[   41.611083][ T6793] raw: ffff8880a9591800 ffff8880a9591000 000000010000000a 0000000000000000
[   41.619630][ T6793] page dumped because: kasan: bad access detected
[   41.626010][ T6793] 
[   41.628304][ T6793] Memory state around the buggy address:
[   41.633902][ T6793]  ffff8880a9591e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.641936][ T6793]  ffff8880a9591e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.649963][ T6793] >ffff8880a9591f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.658000][ T6793]                             ^
[   41.662832][ T6793]  ffff8880a9591f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.670867][ T6793]  ffff8880a9592000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.678894][ T6793] ==================================================================
[   41.686927][ T6793] Disabling lock debugging due to kernel taint
[   41.703368][ T6793] Kernel panic - not syncing: panic_on_warn set ...
[   41.709960][ T6793] CPU: 0 PID: 6793 Comm: syz-executor081 Tainted: G    B             5.8.0-rc7-syzkaller #0
[   41.720000][ T6793] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.730032][ T6793] Call Trace:
[   41.733291][ T6793]  dump_stack+0x1f0/0x31e
[   41.737590][ T6793]  panic+0x264/0x7a0
[   41.741453][ T6793]  ? trace_hardirqs_on+0x30/0x80
[   41.746358][ T6793]  kasan_report+0x1c9/0x1d0
[   41.750839][ T6793]  ? hci_chan_del+0x33/0x130
[   41.755398][ T6793]  hci_chan_del+0x33/0x130
[   41.759782][ T6793]  l2cap_conn_del+0x4c2/0x650
[   41.764425][ T6793]  ? l2cap_connect_cfm+0x12b0/0x12b0
[   41.769687][ T6793]  hci_conn_hash_flush+0x127/0x200
[   41.774767][ T6793]  hci_dev_do_close+0xb7b/0x1040
[   41.779668][ T6793]  ? hci_unregister_dev+0x159/0x1590
[   41.784921][ T6793]  hci_unregister_dev+0x16d/0x1590
[   41.790012][ T6793]  ? vhci_open+0x290/0x290
[   41.794393][ T6793]  vhci_release+0x73/0xc0
[   41.798690][ T6793]  __fput+0x2f0/0x750
[   41.802645][ T6793]  task_work_run+0x137/0x1c0
[   41.807223][ T6793]  do_exit+0x601/0x1f80
[   41.811345][ T6793]  ? call_rcu+0x509/0x840
[   41.815643][ T6793]  do_group_exit+0x161/0x2d0
[   41.820199][ T6793]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   41.826229][ T6793]  __do_sys_exit_group+0x13/0x20
[   41.831133][ T6793]  __se_sys_exit_group+0x10/0x10
[   41.836037][ T6793]  __x64_sys_exit_group+0x37/0x40
[   41.841027][ T6793]  do_syscall_64+0x73/0xe0
[   41.845412][ T6793]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   41.851267][ T6793] RIP: 0033:0x444fe8
[   41.855123][ T6793] Code: Bad RIP value.
[   41.859156][ T6793] RSP: 002b:00007ffe96e46e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.867541][ T6793] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444fe8
[   41.875595][ T6793] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   41.883533][ T6793] RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.891472][ T6793] R10: 00007f5ee25cd700 R11: 0000000000000246 R12: 0000000000000001
[   41.899419][ T6793] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   41.908565][ T6793] Kernel Offset: disabled
[   41.912875][ T6793] Rebooting in 86400 seconds..